RE: Can we really block users from installing applications through Group policy?

From: SecurIT Informatique Inc. (securit_at_iquebec.com)
Date: 10/08/04

Next message: Harlan Carvey: "RE: Can we really block users from installing applications through Group policy?"

Previous message: Tibor Veres: "Re: Can we really block users from installing applications through Group policy?"
In reply to: Eddie Willett: "RE: Can we really block users from installing applications through Group policy?"
Next in thread: Starks, Brad: "RE: Can we really block users from installing applications through Group policy?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Date: Fri, 08 Oct 2004 14:21:16 -0400
To: Eddie Willett <eddie.willett@richmond.ppdi.com>

While this may look like it's working, it shouldn't take long before a user
discovers that all he have to do to circumvent this measure is to rename
the .exe to something else than setup or install.

Although it won't block excutables at this time, the SIDTk module LogProc
was conceived exactly for this purpose. At this time, it will only detect,
and it is based on a time interval check, which means that this tool will
evolve in many ways in the near future, but the idea behind it is that you
define what is permitted to run on the system, hence anything that is not
part of the list gets flagged.

On the plans for future versions wil be trap monitoring for the launch of
executables, and the ability to prevent unwanted programs from executing.

This tool can be downloaded as part of the SIDTk at
http://securit.iquebec.com/.

Hope that helps.

Adam Richard
SécurIT Informatique Inc.

At 11:02 AM 08/10/2004, you wrote:
>One way that we do this is to not allow programs like setup.exe and
>install.exe to run. This is not a perfect solution but keeps 99% of our
>users from installing stuff. To enable and list the programs you don't want
>run go to User Configuration->Administrative Templates->System->Don't allow
>specified Windows applications in group policy editor. I hope this helps.
>
>Eddie
>
>-----Original Message-----
>From: chang zhu [mailto:cyz2000@yahoo.com]
>Sent: Friday, October 08, 2004 8:46 AM
>To: focus-ms@securityfocus.com
>Subject: Can we really block users from installing applications through
>Group policy?
>
>Hi, all
>
>The users are not local administrators. We configure
>group policy to prevent user installs but it seems
>that it blocks only .msi packages. Users still can
>install applications through ex. setup.exe...Can we
>really block users from installing applications
>through Group policy?
>
>Any idea or thoughts on this?
>
>Plus, if we need to block users from saving .mp3 file
>on their computers, can we do it through group policy?
>
>we are on windows2000 and XP environment.
>
>Thanks always,
>
>Chang
>
>
>
>
>
>
>_______________________________
>Do you Yahoo!?
>Declare Yourself - Register online to vote today!
>http://vote.yahoo.com
>
>---------------------------------------------------------------------------
>---------------------------------------------------------------------------
>
>
>
>
>______________________________________________________________________
>This email transmission and any documents, files or previous email
>messages attached to it may contain information that is confidential or
>legally privileged. If you are not the intended recipient or a person
>responsible for delivering this transmission to the intended recipient,
>you are hereby notified that you must not read this transmission and
>that any disclosure, copying, printing, distribution or use of this
>transmission is strictly prohibited. If you have received this transmission
>in error, please immediately notify the sender by telephone or return email
>and delete the original transmission and its attachments without reading
>or saving in any manner.
>
>
>---------------------------------------------------------------------------
>---------------------------------------------------------------------------
>
>_____________________________________________________________________
>Un mot doux à envoyer? Une sortie ciné à organiser? Faites le en temps
>réel avec MSN Messenger! C'est gratuit! http://ifrance.com/_reloc/m

---------------------------------------------------------------------------
---------------------------------------------------------------------------

Next message: Harlan Carvey: "RE: Can we really block users from installing applications through Group policy?"

Previous message: Tibor Veres: "Re: Can we really block users from installing applications through Group policy?"
In reply to: Eddie Willett: "RE: Can we really block users from installing applications through Group policy?"
Next in thread: Starks, Brad: "RE: Can we really block users from installing applications through Group policy?"
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ] [ attachment ]

Relevant Pages

RE: Can we really block users from installing applications through Group policy?
... specified Windows applications in group policy editor. ... Can we really block users from installing applications through ... This email transmission and any documents, ...
(Focus-Microsoft)
RE: Can we really block users from installing applications through Group policy?
... This setting only prevents users from running or installing programs ... specified Windows applications in group policy editor. ... Can we really block users from installing applications through ... This email transmission and any documents, ...
(Focus-Microsoft)
RE: Can we really block users from installing applications through Group policy?
... administrators to developers people will need different access. ... you handle exceptiions? ... Can we really block users from installing applications ... > through Group policy? ...
(Focus-Microsoft)
Re: Can we really block users from installing applications through Group policy?
... Blocking users from installing applications is really a comprehensive ... group of related policies not limited to just Group Policy Objects. ...
(Focus-Microsoft)